Michael Haas | 2 Jul 13:12 2015

SecUploadKeepFiles + inspectFile

Hello,

In 2.9, when SecUploadKeepFiles is Off, inspectFile is not working anymore. With RelevantOnly and "On" it's working.
In 2.7 and 2.8 it was also working with Off.
Is this an intended change or a bug?

Thanks in Advance
Michael

------------------------------------------------------------------------------
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Daniel Butcher | 1 Jul 14:06 2015

Integrating CAPTCHA

I am looking to install mod-security to prevent harvesting attacks. I would like to present Google reCAPTCHA to the client/user if we detect a potential attack, to enable real/human users to continue to the desired page.

Is this possible?

Regards

Dan
------------------------------------------------------------------------------
Tinu Bansal | 30 Jun 07:38 2015

Regarding problem with timezone

Hi Everyone,

We are facing a weird issue in modsecurity 2.6.6. In webserver access logs, we are intermittently observing different timezone values.

Example:

Actual time stamp should be : 09/Jun/2015: 10:30:00 +0530

Intermittently timezone is shown as : 09/Jun/2015: 05:00:00 +0000

Request you to please help.

Thanks for your time and consideration.

- Tinu
------------------------------------------------------------------------------
Alireza.M | 29 Jun 18:22 2015

problem with a form

Hello everyone
I have a problem (a false positive) when submitting a form in my webapp, with one of the rules in the SQL injection base rules.

Request:
--b4738945-C--
act=insert&f_name=%D8%AA%D8%B3%D8%AA&l_name=%D8%AA%D8%B3%D8%AA&father=%D8%AD%D8%B3%DB%8C%D9%86%D8%B9%D9%84%DB%8C&id_no=4420117052&nation=4420117052&birthday=69%2F01%2F15&birth_place=%DB%8C%D8%B2%D8%AF&religion=%D8%A7%D8%B3%D9%84%D8%A7%D9%85&gender=2&marriage=2&phone=03538211678&mobile=00000000&fax=&email=test%40test.com&zipcode=45454854&address=&ins1=%D8%B3%D8%B4%DB%8C%D8%B4&sub1=&date1=&ave1=&side1=&ins2=&sub2=&date2=&ave2=&side2=&ins3=&sub3=&date3=&ave3=&side3=&ins4=&sub4=&date4=&ave4=&side4=&ins5=&sub5=&date5=&ave5=&side5=&study_act=&from1=&to1=&name1=&act_type1=&job1=&salary1=&tel1=&res1=&from2=&to2=&name2=&act_type2=&job2=&salary2=&tel2=&res2=&from3=&to3=&name3=&act_type3=&job3=&salary3=&tel3=&res3=&soft_title1=&soft_title2=&soft_title3=&skill_title1=&skill_title2=&skill_title3=&lang1=&lang2=&jobname=&hobby=&confirm=1&form_captcha_code=10535
--b4738945-F--
HTTP/1.1 403 Forbidden
Content-Length: 299
Keep-Alive: timeout=15, max=150
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1


And the rule that causes the problem:
--b4738945-H--
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:ins1. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: \xb4 found within ARGS:ins1: \xd8\xb3\xd8\xb4\xdb\x8c\xd8\xb4"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script


How can I resolve this problem without commenting out this rule ID?
Thanks a lot

------------------------------------------------------------------------------
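Added example, not part of the original post: it replays the rule 981318 pattern from the audit log above against a subset of the posted form values, once byte by byte (the log's "Matched Data: \xb4" shows a single byte matched) and once on decoded characters. Python's re module stands in for the rule engine here, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Pattern of rule 981318 exactly as printed in the audit log (byte-oriented).
BYTE_RE = re.compile(
    rb"(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)")
# Same character class expressed over code points: " ' ` U+00B4 U+2019 U+2018 ;
CHAR_RE = re.compile("(^[\"'`\u00b4\u2019\u2018;]+|[\"'`\u00b4\u2019\u2018;]+$)")

# Subset of the request body from section C of the audit log above.
BODY = ("f_name=%D8%AA%D8%B3%D8%AA&father=%D8%AD%D8%B3%DB%8C%D9%86%D8%B9%D9%84%DB%8C"
        "&birth_place=%DB%8C%D8%B2%D8%AF&religion=%D8%A7%D8%B3%D9%84%D8%A7%D9%85"
        "&ins1=%D8%B3%D8%B4%DB%8C%D8%B4")


def byte_hit(raw: bytes):
    """Return the bytes the byte-wise pattern matches, or None."""
    m = BYTE_RE.search(raw)
    return m.group(0) if m else None


def char_hit(raw: bytes):
    """Decode as UTF-8 first, then match whole characters; None if no match."""
    m = CHAR_RE.search(raw.decode("utf-8"))
    return m.group(0) if m else None


def scan(body: str):
    """Map each argument name to (byte-wise hit, character-wise hit)."""
    result = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        raw = unquote_to_bytes(value)
        result[name] = (byte_hit(raw), char_hit(raw))
    return result


if __name__ == "__main__":
    for name, (b, c) in scan(BODY).items():
        print(f"{name:12} bytes={b!r:10} chars={c!r}")
```

Only ins1 is flagged: its last UTF-8 byte is 0xB4, which the byte-wise class contains as the second byte of U+00B4, while none of its decoded characters are in the class.
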
Duy Linh Nguyen | 23 Jun 07:00 2015

[Mod Security IIS] How to make each website, each configuration.

Hi everyone,
I'm new to mod_security.
I'm using mod_security 2.9.0 to protect my server. Actually, my server contains many websites and I want each website to have its own configuration file.
For example:
- Site 1 has a.conf as its configuration
- Site 2 has b.conf as its configuration and Site 2 doesn't load a.conf

Can anyone help me please?
Thank you
------------------------------------------------------------------------------
Dave k | 23 Jun 00:33 2015

geoip and iis

Is it possible to install GeoIP on an IIS box and have it work with ModSecurity?
Thanks!
------------------------------------------------------------------------------
Duy Linh Nguyen | 19 Jun 03:53 2015

Re: Model binding (MVC) is blocked while SecRequestBodyAccess is on.

Hi everyone,
I've installed mod_security 2.7.5 successfully after a long time dealing with 2.9.0.
But now I face a problem.
I created an MVC project and deployed it to an IIS server with mod_security on. I created a simple login page with MVC 4; when I press login, the username and password are not sent to my server. That's why my login function fails.

Here is my C# project

Can anyone help me please?
This isn't because of the rules, because I'm using the base rules of mod_security 2.7.5 and no error related to the rules has been logged in Event Viewer.

Thank you.




------------------------------------------------------------------------------
Duy Linh Nguyen | 15 Jun 08:36 2015

Block argument when it contains specific characters.

Hi everyone,
I'm new to mod security.
Currently, I want to use mod_security to block a request which contains specific characters. For example: zzz.
Which means:
- When I type: localhost/Home/Index?a=zzz, mod_security will throw a 403 or 503 error.

Can anyone help me to configure this please?
Thank you,
------------------------------------------------------------------------------
Morris Taylor | 15 Jun 06:36 2015

Questions for whitelisting duplicate http parameters

Hi there,
 
My mod security has an issue: it fails to whitelist a duplicated parameter (a.k.a. ARGS_NAME). I noticed that WordPress will let the browser make a request like the following:
 
http://wordpress_site/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-&load%5B%5D=ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore,wp-a11y,customize-base,customize-loader,thickbox,plugi&load%5B%5D=n-install,shortcode,media-upload,svg-painter,heartbeat,wp-auth-check,word-count,wplink&ver=4.2.2
 
We can find the duplicated parameter name "load[]" in the URL above, which is encoded as "load%5B%5C". ModSecurity will block a request like that according to rule 981173, which is related to "SQL INJECTION". Therefore, I would like to whitelist the parameter named "load[]", and the following exception rule was added to my location_exception.conf:
 
SecRule ARGS_NAMES "^load\[\]$" "id:4000008, phase:2, nolog,auditlog, t:none, msg:'my comment', ctl:ruleRemoveTargetById=00000-9999999;ARGS:/load\[\]/, pass"
 
However, the request is still being blocked by mod security with the following messages:
 
Message: Pattern match "^load\\[\\]$" at ARGS_NAMES:load[]. [file "/opt/rule/modsecurity_crs_15_local_exceptions.conf"] [line "1"] [id "4000006"] [msg "my comment"]
Message: Pattern match "^load\\[\\]$" at ARGS_NAMES:load[]. [file "/opt/rule/modsecurity_crs_15_local_exceptions.conf"] [line "1"] [id "4000006"] [msg "my comment"]
Message: Pattern match "^load\\[\\]$" at ARGS_NAMES:load[]. [file "/opt/rule/modsecurity_crs_15_local_exceptions.conf"] [line "1"] [id "4000006"] [msg "my comment"]
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\ <at> \\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:load[]. [file "/opt/rule/modsecurity_crs_41_sql_injection_attacks.conf"] [line "160"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:load[]: hoverIntent,common,admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
 
 
It seems that ruleRemoveTargetById is not working properly when duplicate parameter names are given in the URL. Can anyone help me get around this issue? Thanks!
 
--
BR, Morris
------------------------------------------------------------------------------
Dave k | 12 Jun 17:23 2015

another mlogc iis question

Is it possible to run mlogc in IIS? If so, can I get a brief outline of the steps involved?
 
Thanks!
 
------------------------------------------------------------------------------
Pfeiffer, Bernhard | 12 Jun 07:04 2015

Rule 960032

Hey!

Is it possible to allow the Request Method PUT for one Request Filename?

This rule doesn't work:

SecRule REQUEST_FILENAME "^/bla.bla.blu.at(.*)$" "id:'1000184',phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960032"

I always get a deny.

Greets,

Ing. Bernhard PFEIFFER

------------------------------------------------------------------------------

Gmane